Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Please Help! Seems like routing issue possibly Nat?

Hi all,

I have an ASA5510 software ver 7.2  I will post most of the config below however I believe I am missing something simple so here goes.

Internal server 10.10.1.9 /24

ASA inside interface 10.10.1.1 /24

ISP Router 10.10.1.250 /24

Across the WAN at a different location 10.1.6.240 /24

From 10.10.1.9 I can ping 10.10.1.1 but CAN NOT ping anything past this. However if I manually add a routing entry into the 10.10.1.9 server I can then tracert my way through to 10.1.6.240.  We currently have all our connections VPN'd so this is what we are doing for now until this is resolved. Tracert'ing from 10.1.6.240 I see all the hops but dies at the firewall.  Please Help!!   Below is most the the config

testmexicoASA# sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list outside-acl; 10 elements

access-list outside-acl line 1 extended permit icmp any any (hitcnt=2292)

access-list outside-acl line 2 extended permit tcp any any eq ssh (hitcnt=0)

access-list outside-acl line 3 extended permit ip 207.164.62.0 255.255.255.0 10.10.1.0 255.255.255.0 (hitcnt=207)

access-list outside-acl line 4 extended permit ip 10.1.10.0 255.255.255.0 10.10.1.0 255.255.255.0 (hitcnt=0)

access-list outside-acl line 5 extended permit ip 192.168.8.0 255.255.252.0 10.10.1.0 255.255.255.0 (hitcnt=0)

access-list outside-acl line 6 extended permit ip 207.164.62.0 255.255.255.0 10.10.2.0 255.255.255.0 (hitcnt=0)

access-list outside-acl line 7 extended permit ip 10.1.10.0 255.255.255.0 10.10.2.0 255.255.255.0 (hitcnt=0)

access-list outside-acl line 8 extended permit ip 10.1.6.0 255.255.255.0 10.10.2.0 255.255.255.0 (hitcnt=0)

access-list outside-acl line 9 extended permit ip 192.168.8.0 255.255.255.0 10.10.2.0 255.255.255.0 (hitcnt=0)

access-list outside-acl line 10 extended permit ip 10.1.6.0 255.255.255.0 10.10.1.0 255.255.255.0 (hitcnt=0)

access-list inside_nat0_outbound; 6 elements

access-list inside_nat0_outbound line 1 extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0 (hitcnt=0)

access-list inside_nat0_outbound line 2 extended permit ip 10.10.1.0 255.255.255.0 207.164.62.0 255.255.255.0 (hitcnt=0)

access-list inside_nat0_outbound line 3 extended permit ip 10.10.1.0 255.255.255.0 10.1.10.0 255.255.255.0 (hitcnt=0)

access-list inside_nat0_outbound line 4 extended permit ip 10.10.1.0 255.255.255.0 192.168.8.0 255.255.252.0 (hitcnt=0)

access-list inside_nat0_outbound line 5 extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=0)

access-list inside_nat0_outbound line 6 extended permit ip any 10.10.2.240 255.255.255.240 (hitcnt=0)

access-list outside_cryptomap_20; 6 elements

access-list outside_cryptomap_20 line 1 extended permit ip 10.10.1.0 255.255.255.0 207.164.62.0 255.255.255.0 (hitcnt=7)

access-list outside_cryptomap_20 line 2 extended permit ip 10.10.1.0 255.255.255.0 10.1.10.0 255.255.255.0 (hitcnt=0)

access-list outside_cryptomap_20 line 3 extended permit ip 10.10.2.0 255.255.255.0 207.164.62.0 255.255.255.0 (hitcnt=0)

access-list outside_cryptomap_20 line 4 extended permit ip 10.10.2.0 255.255.255.0 10.1.10.0 255.255.255.0 (hitcnt=0)

access-list outside_cryptomap_20 line 5 extended permit ip 10.10.2.0 255.255.255.0 10.1.6.0 255.255.255.0 (hitcnt=0)

access-list outside_cryptomap_20 line 6 extended permit ip 10.10.1.0 255.255.255.0 10.1.6.0 255.255.255.0 (hitcnt=0)

access-list outside_cryptomap_40; 1 elements

access-list outside_cryptomap_40 line 1 extended permit ip 10.10.1.0 255.255.255.0 192.168.8.0 255.255.252.0 (hitcnt=0)

access-list outside_cryptomap_60; 1 elements

access-list outside_cryptomap_60 line 1 extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=20)

access-list testout-acl; 7 elements

access-list testout-acl line 1 extended permit ip 10.10.1.0 255.255.255.0 207.164.62.0 255.255.255.0 (hitcnt=0)

access-list testout-acl line 2 extended permit ip 10.10.1.0 255.255.255.0 10.1.10.0 255.255.255.0 (hitcnt=0)

access-list testout-acl line 3 extended permit ip 10.10.1.0 255.255.255.0 192.168.8.0 255.255.252.0 (hitcnt=0)

access-list testout-acl line 4 extended permit ip 10.10.2.0 255.255.255.0 207.164.62.0 255.255.255.0 (hitcnt=0)

access-list testout-acl line 5 extended permit ip 10.10.2.0 255.255.255.0 10.1.10.0 255.255.255.0 (hitcnt=0)

access-list testout-acl line 6 extended permit ip 10.10.2.0 255.255.255.0 10.1.6.0 255.255.255.0 (hitcnt=0)

access-list testout-acl line 7 extended permit ip 10.10.2.0 255.255.255.0 192.168.8.0 255.255.255.0 (hitcnt=0)

access-list inside2_nat0_outbound; 6 elements

access-list inside2_nat0_outbound line 1 extended permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0 (hitcnt=0)

access-list inside2_nat0_outbound line 2 extended permit ip 10.10.2.0 255.255.255.0 207.164.62.0 255.255.255.0 (hitcnt=0)

access-list inside2_nat0_outbound line 3 extended permit ip 10.10.2.0 255.255.255.0 10.1.10.0 255.255.255.0 (hitcnt=0)

access-list inside2_nat0_outbound line 4 extended permit ip 10.10.2.0 255.255.255.0 10.1.6.0 255.255.255.0 (hitcnt=0)

access-list inside2_nat0_outbound line 5 extended permit ip 10.10.2.0 255.255.255.0 192.168.8.0 255.255.255.0 (hitcnt=0)

access-list inside2_nat0_outbound line 6 extended permit ip 10.10.2.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=0)

access-list testMex_splitTunnelAcl; 1 elements

access-list testMex_splitTunnelAcl line 1 standard permit any (hitcnt=0)

testmexicoASA# sh route

S 0.0.0.0 0.0.0.0 [1/0] via 201.116.156.1, outside

S 10.1.6.0 255.255.255.0 [1/0] via 10.10.1.250, inside

S 10.1.10.0 255.255.255.0 [1/0] via 10.10.1.250, inside

S 10.1.20.0 255.255.255.0 [1/0] via 10.10.1.250, inside

C 10.10.1.0 255.255.255.0 is directly connected, inside

C 10.10.2.0 255.255.255.0 is directly connected, inside2

C 201.116.156.0 255.255.255.240 is directly connected, outside

NAT configuration

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

nat (inside2) 0 access-list inside2_nat0_outbound

nat (inside2) 1 0.0.0.0 0.0.0.0

access-group outside-acl in interface outside

access-group testout-acl out interface inside

Everyone's tags (3)
1 REPLY
New Member

Re: Please Help! Seems like routing issue possibly Nat?

One more thing I should clarify the route I am putting into the 10.10.1.9 server is

route add 10.1.6.0 mask 255.255.255.0 10.10.1.250 which tells the server to bypass the ASA and go directly to the ISP router.(then i can successfully tracert everything).  The big question here is how to make the inside ASA connection 10.10.1.1 to force all traffic to 10.10.1.250.

Thanks in advance.

413
Views
0
Helpful
1
Replies